Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views

Wednesday, December 5, 2012

It isn’t, but that is the very message youngsters in India are beginning to receive when political activists riot outside their houses and haul their brothers and sisters to nearby police stations. More so when they are young, innocent and unsuspecting victims of pranksters, as in the recent case of a teenage boy from a suburb of Mumbai.

The prankster’s modus operandi is simple. Spoof the victim’s Facebook ID or hack into his legitimate one. Post an offensive message against the political leader. Relax, and enjoy the drama which unfolds as the victim faces the ire of the leader’s supporters and is embroiled in a police investigation.

This strategy was used by a prankster (or an individual wanting to settle a score) to put a 19 year old lad in a state of emotional distress. The boy was escorted to the police station by people he knew from the neighborhood in which he had lived for the last 17 years. The cyber police, after a brief investigation, cleared his name.

Some of the statements he made, which were published in the Times of India, show the fear and anguish his family faced:

“I was scared when the
police detained me. I was worried for my parents and sister who wondered why
using the Internet should land someone in the police station”

“My sisters (one in
class 12 and another in class 8) were asking if using the Internet was a crime”

People affected by offensive posts are entitled to follow the due process of the law by filing complaints and allowing the police to investigate. But at the same time they must be restrained from taking the law into their own hands and hauling individuals to police stations based on their own interpretation of posts and tweets.

To be safe from such problems, remember that you are responsible for what you post online and for the wider audience that views it. Do take the precaution of reporting spoofed accounts, as well as legitimate accounts of yours that have been hacked. The responsibility for protecting your accounts rests on your use of best practices while choosing passwords and while surfing the Internet.

Sunday, December 2, 2012

Multiple arrests of social networkers over “allegedly offensive” posts under Section 66A of the Indian IT Act have motivated pranksters and people seeking revenge to hack into legitimate Facebook accounts or to set up spoofed accounts in their victims’ names to circulate offensive and hate posts against well known political leaders, communities and Indian national emblems.

In an attempt to avoid being embroiled in tiresome police investigations or facing the ire of political parties, social networkers who searched for spoofed profiles in their name or found that their accounts were hacked into have started reporting such instances to the Indian cyber police.

The lack of clear guidelines about which content violates Section 66A of the Indian IT Act has resulted in the flawed reasoning behind these arbitrary arrests of innocent social networkers for banal posts and for posts from hacked accounts. It is advisable for Indian social networkers to proactively check if their account was spoofed or hacked into and to report such cases to the respective social networking sites or the police.

Most online sites which accept user-generated content have a ‘reporting’ mechanism. Sites allow subscribers to report others who violate their Statement of Rights and Responsibilities by clicking ‘Report’ or ‘Block this Person’ type tick boxes. Users can report profiles that impersonate them, use their photograph, list a fake name, do not represent a real person or carry abusive posts. They can also report improper images, nudity, illegal drug use, the advocacy of terrorism or cyber harassment.

Wednesday, November 28, 2012

Most countries have enacted laws to police online publications that are libellous, criminal or violate national security interests. Publishing and republishing such posts and tweets is against the law. Cybercitizens and journalists need to be aware that republishing posts by “liking”, “retweeting” or copying the contents into news reports or blogs can also constitute a crime. Unfortunately, the drafting of these cyber laws has introduced a level of subjectivity in their interpretation and execution (Redefining Section 66 A of the IT Act), which can be conveniently misused by third parties to settle scores and for their political interests.

Last week there was a huge uproar in Mumbai, India when two young girls were arrested for a Facebook post questioning the shutdown in Mumbai to mourn the death of a popular political leader. One girl was arrested for writing the Facebook post and the other for liking it. Both were charged with hurting religious sentiment, under a section which can attract three years of imprisonment. Both these incidents led to widespread public condemnation of the way the police interpreted the law and took action, and of the failure of both the police and the judiciary to dismiss these cases. The political pressure from the people’s movement resulted in the suspension of the police officer who registered the case and the transfer of a magistrate who allowed it to proceed without sufficient assessment of its merits.

From what it
appears, the current case in Mumbai will lead to the adoption of a set of
procedures by the police to filter out frivolous complaints through a process
of validation of such complaints with their legal cell.

Cybercitizens should bear in mind that the openness of the Internet allows posts to be seen by a wider audience, who may interpret their contents with a vastly different perspective and motive than their close friends would. Such people may also use the opportunity to file complaints to further their political interests, and in the process ensure complete disruption of normal life for the person who wrote the post. It is wise to bear in mind that your posts can be misused by a person you trusted to settle scores, or by strangers for their political interests.

Appropriate privacy settings and a judicious review of what you post and tweet are essential.

A cybercafé which allows you to download software onto the desktop is probably unsafe. Other users could potentially download malware too onto it. Where necessary, use only those cybercafés that restrict users from having administrative access to their computers.

Wednesday, November 14, 2012

Entrepreneurs abound on the Internet, even those that set up sites which allow an anonymous individual to repost your intimate pictures (nudes or seminudes) without your permission, along with your telephone number, location and Facebook profile link. It is a sure shot recipe for reputation damage, emotional trauma and depression. Such sites allow ex-partners, jealous friends and blackmailers an easy opportunity to publish such pictures to a wide audience of people looking for casual sex, and even to send email links to your friend circle. Intimate photos may be introduced online in many ways, as outlined in 3G, Cell Phones, Social Networking and the not so Innocent Obsession.

These shady sites are able to exploit sections of the law that protect sites from legal action for content posted by users. And in countries where pornography is legal, the law allows publication of such pornographic content. Copied below are some of the guidelines for submission for one such site, which I do not wish to name so as not to give it a popularity it does not deserve.

· You must send at least 2 pictures with your submission. At least one must be a full or partial nude image.

· You must send a phone number or Facebook link with your submission.

· You must be 18+, and the person you are submitting must also be 18+, they also must have been 18+ at the time that the pictures were taken.

· In the event of any legal, criminal or civil action you agree to indemnify (the Site) and its owners from involvement.

· Anything that happens to you, legally, or otherwise, as a result of your submission/use of this website, is not our fault or responsibility.

· By submitting you are forming a ‘contract’ with (The Site) (an agreement to the terms listed here) and allowing us to repost your content. You are considered to be the actual poster of this content and we are simply reposting it for you.

The site in question also offers a takedown service, for a fee. This is one of the ways they profit.

Wednesday, November 7, 2012

Stay safe and better aware on social networks by following these simple tips:

Familiarize yourself with the privacy and security settings on your social networking site and set your desired level of privacy protection.

Protect your online reputation by being careful about what you post. What you post online stays online. Besides possibly causing reputation damage, the more information you post, the easier it is for someone else to use that information to steal your identity, track movements, or commit other crimes, such as stalking.

Be prudent, say no, and select only people you would like to invite onto your social network. Once you invite friends, their posts on your page can be viewed by your entire friends’ circle and vice versa. What they post could have an impact on your reputation.

Do not invite unknown strangers merely because they display an attractive photograph. This is a common technique used by spammers and those with malevolent intentions to gain access to you and your friend circle.

If someone is harassing or threatening you, remove them from your friends’ list and report them immediately.

Be cautious about posts which have embedded links, even if sent by your close friend, who may himself or herself be a victim. Spam or malicious links are couched in attractive posts to ensure they go viral.

Do not circulate objectionable content. Report such content if you come across it.

Do background profile checks and be wary of suspicious behavior of unknown people or friends of friends you invite on social networks.

Withdraw from suspicious groups or block people you begin not to trust.

Do not go unescorted to meet a stranger. This applies to you whether you are an adolescent, teenager or adult. There have been cases of men who went to meet a "pretty girl" from Facebook ending up being brutally beaten and robbed.

Any request for money from unknown persons you befriended online should be met with the greatest of scepticism.

Any request for money from a friend or a friend's friend should be verified first by a phone call or through other means.

Avoid revealing or sexually-attractive photographs in your profile, as it will draw the wrong kind of attention. But do put a recent photograph of yourself so that others can verify who you are.

Limit the dissemination of sensitive personal information, as technical flaws and advertising may reveal it to an unintended audience.

Monday, November 5, 2012

The use of Section 66A of the Indian IT Act to arrest a businessman, who tweeted that a cabinet minister’s son was corrupt, drew sharp condemnation from Twitter users and the national press, as it appeared Orwellian. Ironically, the main issue was not the use of the law, but its definition, which allowed its use in lieu of other provisions to tackle defamatory statements. People feared that the current definition would be used to instill fear and censor free speech online.

Section 66A of the Indian IT Act 2000 (as amended in 2008) states:

“Any person who sends, by means of a computer resource or a communication device,—

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.”

As a layman
reading the law, I felt the definition to be comprehensive enough to address a
wide range of cybercrimes, but not specifically able to distinguish between the
very petty and the more severe cases without going to the courts.

Laws are made to accommodate the normal behavior and misbehavior of people and should not be so all-encompassing that the definition in itself is difficult to interpret. There is an anti-social element in all Internet communication that all netizens are willing to live with, such as those messages which result in annoyance, ill will and inconvenience.

I believe that the section could be further refined to target cases where people are unduly harassed by vicious and relentless online messages which affect the emotional behavior of victims, leading to depression, fear and suicides. Such communications, which include vulgar emails, death threats, blackmail, hate, sedition, and the posting of a victim’s obscene pictures, must be spelled out as examples.

Sunday, November 4, 2012

The issue of cyber trolling shot into online prominence with the tragic suicide of the 15 year old Amanda Todd. Innocent and trusting Amanda, then 13, was convinced to flash her breasts by a smooth talking stranger over a webcam. The stranger captured this image and tried to blackmail her for more private sessions. When this failed, he mailed the picture to her friends and set off a relentless and vicious cycle of cyber bullying. So persistent was the cyber bullying which followed that it ousted her from her school and locale, and even a full year later, when she was trying to put her life together in another place and school, it caught up with her, leaving her nowhere to turn.

Wikipedia defines a troll as “someone who posts inflammatory, extraneous, or off-topic messages in an online community, such as a forum, chat room, or blog, with the primary intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion.”

The anonymous nature of social networks limits individual accountability, and fuels the resultant breakdown of social norms and rules, which allows a small percentage of netizens called cyber trolls to indulge unchecked in vile and deviant behavior. Cyber trolls prowl social networks anonymously for every opportunity to post slanderous or downright insulting remarks about people both living and dead, whom they may know in real life or who are just strangers. They display no morals when writing demeaning comments on RIP pages, hurling hurtful taunts and issuing death threats to children, teenagers and even celebrities.

If individuals try to fend off their vitriol, they retaliate in packs, often encouraged by others who apparently laugh at their jokes, fuelling their sadism and egging them on.

Every person expects a certain amount of abuse as part of everyday social networking, but when it crosses a threshold, both children and adults have been driven to depression, drugs and ultimately attempted suicide, triggered by the ensuing feeling of helplessness. Help is not at hand from social networking sites, as they refuse to police these messages and mediate content, regardless of whether it was "potentially" offensive or controversial, unless it violates their terms of service.

One of the better options for victims is not to retaliate and to try their best to ignore these comments. If they attempt to fight back, it is seen as a weakness, which is exploited by the pack mentality of trolls and their supporters, inviting a further barrage of spite.

Cybercitizens
should not support cyber trolls by agreeing with them or egging them on. Not
feeding these trolls and condemning their activities will help rein in their
deviant behavior. While incidents of cyber bullying may be widespread, they
vary in severity. Serious cases are few, but concerns due to the potential of
the problem do exist. It is also important for parents to be aware if their
child is a victim or a perpetrator of cyber bullying.

Wednesday, October 17, 2012

Indian newspapers recently carried reports captioned “Crimes against women: Send porn MMS, emails, land in jail for 3 yrs, pay Rs 50,000 fine”. Cybercrime through the filming and distributing of porn MMSes of unsuspecting women has always captured newspaper headlines in India. Publicized cases have been few and convictions almost negligible.

According to these reports, an amendment to the Indecent Representation of Women (Prohibition) Act 1986 was cleared by the Indian Cabinet which brought in stringent penalties for transgressors using electronic media. Until now the 26 year old act only covered print advertisements and publications.

When I read the fine print of the amendment, it struck me that this was not in the least a law against cybercrime, only an amendment to include the indecent representation of women in electronic advertisements. Beyond proving how newspaper headlines can be fallacious, it amply establishes that cyber laws are daunting to enact, and far from practical implementation.

Trying to amend old laws to accommodate new behavior in the Internet era is fundamentally flawed, though it may be a quick fix. In the past, using print media, it was arduous for ordinary individuals to distribute indecent content at scale. Consequently, when the act was written twenty-six years ago, it never considered this as an issue. But today, in the electronic world, equipped with a mobile phone camera and the Internet, anyone with a dirty motive or opportunity can do it. Such indecent online postings by solitary individuals like trolls, bullies, pornographers, or even cybercitizens settling scores online are commonplace.

New laws to tackle cybercrime must be written which embody the new genre
of criminal behavior and cybercitizen misdemeanors.

Monday, October 15, 2012

The phone rang once and was instantly cut. Sixty year old Sally gave a passing glance at the missed call number, which began with +22, her local Mumbai code, and called back. At the other end of the line she heard the mournful shrieks of a woman being beaten, and the savage voice of a man hurling constant abuse. Worried, confused and in fear that she may have received an SOS call, she asked “Who’s there? Is there a problem? Stop it”.

In the following 3-4 minutes, before she had time to think clearly, her phone conversation was cut short due to a lack of funds. The Rs 200 ($4) she had recently topped up her account with was exhausted. At the mobile store, she was informed that as she had made a call to a premium rate number which charged Rs 50 per minute, her balance was consumed. There was no refund. The telecom provider was not at fault; she should have checked the number before she made the call. Only later did she read in the national newspaper that such frauds were widespread.

As she recounted this incident to her neighbor, she asked, “If the frauds were so well known, should not the telecom company and the government have done something about it?”

India is a large prepaid market, and international fraudsters have conjured up several tricks to coax vulnerable people into making calls to international premium rate numbers. Calls to such numbers are charged at a premium over normal calls. They are regularly used for adult sex lines, directory enquiries and voting for contestants during game shows.

Fraudsters buy these premium rate numbers from international telecom companies, and earn money by sharing the revenue for calls made to these numbers. They grow their earnings by raising call volumes using automated dialers and other such schemes to dupe victims into calling these numbers. The revenue sharing arrangement, some would argue, reduces a telecom’s own motivation to check such activity, unless forced to do so by law or regulation.

The fraudster’s first objective is to dupe people into making a call to the premium rate number. They do this by making several “ring once and cut” (missed) calls to a victim’s phone, thereby creating a sense of urgency to call back, and by making the missed call number appear local using international numbers which resemble local codes. For example, an international number beginning +224 may be mistaken for the “022” Mumbai code by individuals unfamiliar with international dialing.

The second objective is to keep the victim engaged on the call for as long as possible. A longer call results in higher revenue to the fraudster. This is usually done by playing a recorded audio tape of a woman being abused or having sex, or by using a real life operator masquerading as an agent for schemes such as a lottery the victim is supposed to have won. The operator takes time to brief the victim on the win, and even notes down personal details such as his or her postal address to mail the award to. Personal information can later be used for other types of online scams.

Stolen phones are also used to call premium rate numbers. Fraudsters usually do this immediately after the theft. Tourists who lose their phones abroad will quickly find out that their set credit limits do not apply, due to the delay in receiving billing data from the foreign carrier. Bills may be huge.

Safety Tips to Keep in Mind to Avoid Call Fraud

1. Do not call back on unknown international numbers. Be suspicious of a “one ring and cut” call.

2. Disable the international dialing facility, if not needed.

3. Report a stolen phone and have the number blocked immediately.

Actions Telecom Operators and the Law Can Take

1. Telecoms should enable international calling on request, and not by default.

2. Telecoms should detect if premium rate numbers were used fraudulently through a study of call patterns.

3. Governments should enact strict laws and penalties to discourage such crimes.
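As an added example, not from the original post, here is the call-pattern study suggested in the second action above, run over a few constructed call records, together with the local-code lookalike check from the +224 versus 022 discussion. The CDR layout, field names, thresholds and every phone number are assumptions made for this example.

```python
from collections import defaultdict

# Constructed call-detail records for this example (not real data). Fields:
# timestamp, direction relative to the subscriber (in = received,
# out = dialled), subscriber number, remote number, ring seconds, talk seconds.
SAMPLE_CDR = """\
2012-10-14T09:00:01 in  +919800000001 +224555123456 2 0
2012-10-14T09:00:03 in  +919800000002 +224555123456 1 0
2012-10-14T09:00:04 in  +919800000003 +224555123456 2 0
2012-10-14T09:00:06 in  +919800000004 +224555123456 1 0
2012-10-14T09:00:07 in  +919800000005 +224555123456 2 0
2012-10-14T09:01:10 out +919800000003 +224555123456 6 230
2012-10-14T09:05:00 in  +919800000001 +912223456789 12 95
2012-10-14T09:30:00 out +919800000002 +912223456790 7 40
"""

HOME_COUNTRY_CODE = "91"   # India
MUMBAI_STD_CODE = "022"    # the local code the post says +22x numbers get mistaken for


def parse_cdr(text):
    """Parse the constructed CDR text into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, subscriber, remote, ring, talk = line.split()
        records.append({"ts": ts, "direction": direction, "subscriber": subscriber,
                        "remote": remote, "ring": int(ring), "talk": int(talk)})
    return records


def looks_like_local_code(number, local_code=MUMBAI_STD_CODE, home_cc=HOME_COUNTRY_CODE):
    """True when a foreign number's leading digits mimic the local STD code
    once its trunk prefix (the leading 0) is dropped, e.g. +224... versus 022."""
    if not number.startswith("+"):
        return False
    digits = number[1:]
    if digits.startswith(home_cc):
        return False                      # a domestic number, not a lookalike
    return digits.startswith(local_code.lstrip("0"))


def find_wangiri_numbers(records, min_targets=3, max_ring=3):
    """Flag remote numbers that made short, unanswered ring-once calls to at
    least min_targets distinct subscribers (the "ring once and cut" pattern)."""
    targets = defaultdict(set)
    for r in records:
        if r["direction"] == "in" and r["talk"] == 0 and r["ring"] <= max_ring:
            targets[r["remote"]].add(r["subscriber"])
    return {num for num, subs in targets.items() if len(subs) >= min_targets}


def find_callback_victims(records, suspects):
    """Subscribers who called a suspect number back, with the talk seconds
    that generate the fraudster's premium-rate revenue."""
    return [(r["subscriber"], r["remote"], r["talk"])
            for r in records
            if r["direction"] == "out" and r["remote"] in suspects]


def analyse(text=SAMPLE_CDR):
    """Run the whole pipeline and return a summary a telecom fraud desk could act on."""
    records = parse_cdr(text)
    suspects = find_wangiri_numbers(records)
    return {
        "suspects": sorted(suspects),
        "lookalikes": sorted(n for n in suspects if looks_like_local_code(n)),
        "callbacks": find_callback_victims(records, suspects),
    }


if __name__ == "__main__":
    print(analyse())
```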

Wednesday, October 10, 2012

Most of us routinely carry many portable computing devices which vary in shape, colour, size and function, from expensive laptops, tablets and smartphones to cheaper eBook readers, portable hard drives and USB drives. Invariably, some of us lose one or more of these items through theft, physical damage, electronic failure or misplacement.

For an individually owned device, the largest cost is the replacement value of the asset. But there are other inherent but non-tangible risks, such as the disclosure of personal data like intimate pictures and private correspondence, the potential misuse of email and social network accounts, and access to stored business data and emails.

Being aware of and alert in the situations where the probability of losing these devices is highest is in itself an effective safeguard against loss. Based on statistics, theft is most likely to occur at home or from a car, physical damage through lax handling during travel, and misplacement at security checkpoints in airports, in hotel rooms and in rented cars. Individuals are most vulnerable when in a hurry, when they have things on their mind, when they act carelessly or in anger, and when they carry too many gadgets.

Safety tips that can be kept in mind are:

1. Label the device with your name, address, email id and telephone number to assist in its return.

2. Use full disk encryption to prevent access to data, both personal and business.

3. Use strong passwords to log onto the operating system (e.g. Windows) to delay access to email and social networking applications where passwords were automatically saved by the browser. We can only delay and not prevent access, as the operating system password can be found out using password cracking tools.

4. Take backups.

5. Use protective cases to prevent physical damage during travel.

6. Immediately change all passwords to email and social networking applications where passwords were saved by the browser. Preferably, disable the browser function which saves passwords and take the trouble to key in passwords each time.

Monday, October 8, 2012

While preaching the Sunday sermon, our parish priest gave a vivid example of how a young mother taught her ten year old son a lasting lesson on keeping secrets.

He said: “Shirley was Beth’s neighbor and her best friend. Animatedly, over a cup of tea at Beth’s house, she poured out the problems she was facing with her young daughter. As she left, she asked Beth to keep what she had told her a secret, as it would affect her relationship with her daughter if she or others came to know.

Later, Beth realized that her ten year old son had overheard the entire conversation. She called him and said, “Ryan, if Shirley had left her purse in our house today, would we give it to anyone or only to her?” Ryan replied, “Only to her, mama”. Then Shirley said, “Today, she left something even more valuable when she shared her problems with me. We do not have the right to share them with anyone”.”

In this simple way she
taught her child the meaning of confidentiality.

In a similar way, we as employees share an equal, or greater, responsibility to protect corporate and customer personal data. Organizations, like individuals, have their own set of confidential and personal customer data to safeguard against loss, or theft by competitors and criminals. Companies need to keep secrets to protect business interests: to keep certain decisions confidential, safeguard new product development, ensure customer data privacy and keep design secrets under wraps as long as needed.

Sunday, October 7, 2012

A flash crash at the National Stock Exchange in India brought down the Nifty (stock index) by 15.5%, and shut down the exchange for a short period of time. Circuit breakers were triggered after a trader mistyped a single large order into the system, interchanging the number of shares to be sold with the value of the trade. The incident exposed two types of systemic failure: the inability to prevent erroneous trade entries of abnormally large magnitude by traders, and the failure of the exchange’s processes, software and systems to swiftly freeze trade and shut down the market once the market volatility threshold of 10% was breached.

Most believe that “Security” in Information Security is restricted to the set of measures an organization uses to protect against malicious activities of external agents and company employees. But this is only partly true: information security ensures the confidentiality, integrity and availability of information not only against external threats but also against mistakes, errors, and faulty process and system design.

A good security plan and its implementation will always take into account all the potential misuse scenarios which have a harmful effect on an organization’s reputation, assets or compliance mandates. In layman’s terms: actions, both malicious and inadvertent, that endanger a business.

Most data breaches are due to simple acts of omission such as technical misconfigurations by system administrators, use of default passwords and inadequate operational checks and balances. Security, if well thought out and implemented, can prove to be a lifesaver by reducing the occurrence of operational risks in an organization’s day to day operations.

The trading firm in the above incident had to purchase the shares back at higher prices to stay in business. The cost to the company amounted to 50% of its net worth. Had the firm put in place relevant checks and balances to validate large trades before they were keyed into the system by traders, it would have been spared the financial loss.

On a different note, a similar situation could have arisen if a malicious hacker or a disgruntled, well-informed employee had misused the system to crash the exchange with the execution of a single large trade. An experienced security professional would have brought in this perspective through a “misuse” scenario while designing or reviewing the design of trading processes and software, and recommended preventive controls.
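As an added example, not from the original post or from any exchange's software, here is the kind of pre-trade check the two paragraphs above call for: a firm-side validation of large orders that also recognises the quantity/value swap described in the incident, plus the exchange-side 10% index halt. The limits, symbol, reference price and volumes are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Order:
    symbol: str
    side: str          # "BUY" or "SELL"
    quantity: int      # number of shares as keyed in by the trader
    price: float       # limit price in rupees


@dataclass(frozen=True)
class RiskLimits:
    max_notional: float      # cap on quantity * price for a single order
    max_adv_fraction: float  # cap on quantity as a share of average daily volume
    price_band_pct: float    # allowed deviation from the reference price


@dataclass
class CheckResult:
    accepted: bool
    breaches: list = field(default_factory=list)
    probable_swap: bool = False   # order looks like a rupee value keyed into the quantity field


# Constructed reference data for this example (not real market data).
REFERENCE = {"NIFTYBEES": {"ref_price": 590.0, "adv": 2_000_000}}


def _breaches(order, limits, ref):
    """Return the list of limits the order breaks (empty if none)."""
    out = []
    notional = order.quantity * order.price
    if notional > limits.max_notional:
        out.append(f"notional {notional:,.0f} exceeds cap {limits.max_notional:,.0f}")
    if order.quantity > limits.max_adv_fraction * ref["adv"]:
        out.append(f"quantity {order.quantity:,} exceeds {limits.max_adv_fraction:.0%} of ADV")
    if abs(order.price - ref["ref_price"]) > limits.price_band_pct * ref["ref_price"]:
        out.append(f"price {order.price} outside {limits.price_band_pct:.0%} band")
    return out


def validate_order(order, limits, reference=REFERENCE):
    """Pre-trade check run before an order leaves the firm. An order that
    breaches a limit is held; if reinterpreting the keyed quantity as a rupee
    value would produce a compliant order, the hold is tagged as a probable
    quantity/value swap so the trader is asked to confirm the intended size."""
    ref = reference[order.symbol]
    breaches = _breaches(order, limits, ref)
    if not breaches:
        return CheckResult(accepted=True)
    swapped = Order(order.symbol, order.side,
                    int(round(order.quantity / ref["ref_price"])), order.price)
    swap_fits = swapped.quantity > 0 and not _breaches(swapped, limits, ref)
    return CheckResult(accepted=False, breaches=breaches, probable_swap=swap_fits)


def index_halt_required(previous_close, current_level, threshold_pct=0.10):
    """Exchange-side circuit breaker: True once the index has moved by the
    threshold (10% in the post) from the previous close, in either direction."""
    return abs(current_level - previous_close) / previous_close >= threshold_pct


if __name__ == "__main__":
    limits = RiskLimits(max_notional=100_000_000, max_adv_fraction=0.05, price_band_pct=0.05)
    print(validate_order(Order("NIFTYBEES", "SELL", 10_000, 592.0), limits))
    print(validate_order(Order("NIFTYBEES", "SELL", 5_900_000, 590.0), limits))
    print(index_halt_required(5800.0, 4901.0))
```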

Sunday, September 9, 2012

Social media
can be effectively manipulated to create a sense of panic among citizens on
communal lines, since rumors spread virally leaving little time for Governments
to clamp down on such communications.

Nation states which lack effective cyber enforcement and harbor radical elements enable members of these groups to post distorted information on social networks and websites without fear of the law. Such posts are intended to create conflict and communal strife in their own and other countries.

In India, the recent communal clashes between two communities in the North Eastern state of Assam gave radicals in other countries an opportunity to post morphed images of the supposed violence on social networks, while instigating local sleeper cells to send SMSes designed to trigger panic among people of North Eastern origin working in large Indian cities like Bangalore, Hyderabad and Pune. This resulted in mass panic and triggered an overnight exodus of over 50,000 people from these cities, forcing the Government to take the extreme step of banning bulk SMSes for a fortnight, in an effort to curb the panic.

There are
four lessons to be learned from this incident.

The first is the obvious efficacy of such mass cyber hate campaigns and their ability to fuel ideological cyber wars which directly affect the safety and security of citizens. In the recent past, most state sponsored cyber war related activities were for espionage or to take down industrial units.

Secondly, it exposed the hurdles in speedily taking down hate posts and tweets on popular sites like Twitter and Facebook in the viral phase of such campaigns. The steps involved identifying hate sites, reviewing them, finding consensus on blocking these sites and later trying to get social networks outside of India’s jurisdiction to remove them without court orders. India is now formulating an incident response mechanism to counter future hate campaigns.

Thirdly, India realized that it did not have the ability to block hate posts on a state or regional basis. This ability would be useful in putting out local conflicts. India currently has the ability to block URLs at a national level and not at state level. Building networks capable of regional blocking requires reallocation of IP address schemes based on individual states, and large investments in filtering technology.

Fourthly,
there is the need for a neutral international agency which solicits an
appropriate response from nations that are not keen on or unable to act against
hate actors operating from their soil, based on international treaties or
agreements.

Balancing the need for a secure cyber space while respecting the privacy and individual freedom of cyber citizens, and ensuring that the Internet remains open for innovation, is increasingly stressed in such situations. To prevent Governments from being forced to enact regulations that prevent free use of the Internet, future collaborative working between social networks and Governments is vital, as what they do or do not do has an impact on people’s lives and safety.

Tuesday, September 4, 2012

Two members of a pan-India hacker group, "Indishell", and its offshoots were arrested on Saturday 1 Sept 2012 for hacking into an e-commerce website that specializes in mobile recharge. The hacker in question was the owner of a cyber security firm. This highlights the risk in choosing pen test vendors, since the leakage of the vulnerability information they gather is a significant threat.

The Government of India, via its cyber institution CERT-IN, has a high quality empanelment process, which includes a detailed expertise evaluation and involves a thorough check of the company’s background, experience and personnel. The test challenge is of high quality (requiring both tool and manual expertise). With a cut off score of 90%, it is difficult to pass.

At the moment, we do not have an independent Indian body to
individually assess, background-verify and accredit pen testers. Some large
companies do this on their own, undertaking an external background verification
check for every consultant and mandating basic qualifying certifications like
CEH.

Monday, September 3, 2012

Most security
controls are like drugs which cure potent diseases but bring along undesirable
side effects. These side effects affect
the ease of use of most electronic devices and services, such as ATMs, biometric devices, and logging on to or even enrolling on web
sites. Design of controls must focus on how controls can be misused, in order to
eliminate or reduce these side effects. The best way, though difficult to
implement, is to tuck security into the background where it works silently and invisibly.
Would we all not like to pay using our credit card
online without filling in a lengthy form?

Take the case
of the Reserve Bank of India (RBI) doing away with the cash retraction systems
in ATMs, as it found that there were large numbers of dubious claims of non-receipt
of cash. The security feature
helped customers in instances when ATMs did not disburse cash quickly and the cash was
left behind by customers who thought the ATM was not working.

Another example
is the locking of accounts after a fixed number of failed authentication attempts.
This feature protected users from a variety of automated password attacks, reducing
the risk of account compromise where the password strength was low. The same
feature can also be used to create a minor inconvenience, if the account is
deliberately locked by malicious individuals.
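The trade-off above, as an added example that is not part of the original post: a small Python simulation comparing a hard account lockout with a progressive, per-source delay, showing that the second design still slows a guesser down without letting a third party lock the real owner out. The class names and policy values are constructed for illustration.

```python
from collections import defaultdict
MAX_FAILURES, LOCKOUT_SECONDS = 5, 900   # constructed policy values

class HardLockout:
    """Classic control: N failures lock the account for a fixed window."""
    def __init__(self):
        self.failures, self.locked_until = defaultdict(int), {}

    def attempt(self, user, ok, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"            # the real owner is shut out too
        if ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"

class ProgressiveDelay:
    """Exponential back-off keyed on (user, source): failures from one
    source slow that source down without locking the account."""
    def __init__(self, base=1, cap=300):
        self.base, self.cap = base, cap
        self.failures, self.next_allowed = defaultdict(int), defaultdict(float)

    def attempt(self, user, source, ok, now):
        key = (user, source)
        if self.next_allowed[key] > now:
            return "throttled"
        if ok:
            self.failures[key] = 0
            return "success"
        self.failures[key] += 1
        # 1s, 2s, 4s ... capped at 5 min; add a per-account hourly ceiling too
        delay = min(self.cap, self.base * 2 ** (self.failures[key] - 1))
        self.next_allowed[key] = now + delay
        return "failed"

def simulate():
    """Five hostile wrong guesses, then the owner logs in correctly from home."""
    hard, soft = HardLockout(), ProgressiveDelay()
    for t in range(5):
        hard.attempt("alice", False, now=t)
        soft.attempt("alice", "hostile-ip", False, now=t)
    return (hard.attempt("alice", True, now=10),
            soft.attempt("alice", "home-ip", True, now=10),
            soft.attempt("alice", "hostile-ip", False, now=5))
```

The hard policy reports "locked" for the owner's correct login, while the progressive policy lets it through and still throttles the hostile source.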

CAPTCHA is
another feature, which prevents automated attacks during enrollment on web sites,
but with the growing sophistication of machine reading, CAPTCHA phrases
are becoming complicated for humans to read too. Invariably user success comes
after a few tries.

There are
many more such examples. Our challenge is to recognize the side effects and
work out ways to minimize them, rather than let customers live with them. This requires
better architectural designs and innovation in security technology.

Saturday, September 1, 2012

On
August 15, 2012 a virus infected 30,000 desktops of the world's largest oil producer,
Saudi Aramco, forcing disconnection of its IT systems from the external world
and the launch of a massive exercise to cleanse the infection. The primary
objective of the virus was to erase all data from hard disks and report the
deleted file names to an external control center. The attack was undertaken by a group calling
itself the “Cutting Sword of Justice” which said in an ideological post on
Pastebin, that it was “fed up of crimes and atrocities taking place in various
countries around the world”.

Saudi
Aramco is one of the largest petroleum producing companies and accounts for a
significant portion of the Saudi economy. The hackers chose a Critical National Infrastructure target which is
the largest financial source for the Al-Saud Regime. A major disruption of Aramco’s oil production
networks would consequently have had a direct impact on global energy supplies
and the global economy. Aramco reported that it had air gapped its oil
production network thereby preventing damage to its oil production assets.

In
past attacks like Stuxnet, the development of similar malware was primarily
attributed to government funded units, but in this case the incident seems to suggest
that the virus was developed by a hacktivist outfit. If true, it indicates a new and disturbing
trend, as previous hacktivist methods were limited to the more mundane denial of
service attacks or hacking into web sites.

Antimalware products have also once again demonstrated how deficient they are in
defense against custom malware.

Sunday, August 26, 2012

The very recent episode of “The Naked Prince in Las Vegas”
amply demonstrated the commercial value of a celebrity's personal life. The party girl who revealed naked
snaps of Prince Harry online has reportedly been offered a $1m package for the mobile
footage of the entire party. Was the secret filming planned or simply an opportunity seized? I guess we will never know.

Privacy can easily be compromised with a mobile or spy
camera. There have been many instances where such footage has been used for blackmail,
sold to porn sites or used by the media.

Celebrities are most at risk when they move out of closed
social circles and try to socialise like normal people. It must be difficult for royalty, who are caught between the need to adhere to tradition and personal
life.

Tuesday, July 31, 2012

Hosting an
event like the Olympics requires a large number of security personnel to
operate x-ray machines, search vehicles and stand guard at venues. For the
London 2012 Olympics over 10,000 personnel had to be recruited and trained
to prevent theft, activism and unruly activity. Mobilizing an enormous workforce
via temporary recruits or volunteers is an expensive affair for short events,
which usually results in poor or hurried training of personnel and inadequate background
checks. It is not possible to recruit well in advance due to the large numbers
and the need to contain staff costs. It may be said that the temporary workforce is used more for
mitigation of risks rather than their removal, with the prime responsibility for
security resting on the more qualified forces such as police and military
and their use of a defense in depth security cordon to protect athletes and
people in venues.

When I read
about the mysterious woman who walked alongside flag bearer Sushil Kumar in a
red track top, blue pants and sneakers, smiling, waving and soaking in the moment
as the Indian contingent walked the track, it indicated a brazen gate crash into
what should have been considered the inner sanctum of the security
perimeter.

In this case,
it turned out to be a protocol breach: an over-eager Indian student volunteer
had taken up the opportunity to walk with the team. But it also indicated a large
failure of the security apparatus, volunteer training and supervision of
volunteers. The same security vulnerability could have been exploited by
terrorists for malicious ends.

Sunday, July 8, 2012

Thumb drives are extremely popular due to their
portability, convenience and low cost. Computer
users, at home or at work, cannot do without a thumb drive for sharing digital
data such as files or music. Drives have
become so cheap that product vendors freely distribute them at product conferences
as giveaways or as repositories of digital product literature. Any digital product with a USB port and storage
capacity can be converted into a digital drive. A common example would be the ubiquitous smart phone. Thumb drives have also become fashion accessories,
with drives disguised as pendants and pens making them harder to detect.

Most companies prohibit or regulate the use of USB ports
and the devices that can be connected to them. The US Government has forbidden the
use of such devices in Government and Defense departments post Wikileaks. USB drives are used in targeted attacks to
compromise systems which are physically isolated from the Internet or external
networks. Stuxnet, a cyber weapon which destroyed Iranian centrifuges, spread
through a compromised USB drive. In a
more recent case, the Indian Eastern Naval Command was infected by malware
which allegedly spread through a compromised USB drive. According to news reports “The
malware is then thought to have created a secret folder on the drives where it
stored documents, and as soon as the drive was plugged into a computer
connected to the web, it sent the files to specific IP addresses”.

Users of USB drives face the risk of mass malware
designed for cyber crime involving spam or financial fraud or the more targeted
variety for espionage or cyber destruction. Malware normally propagates by
copying itself onto clean drives inserted into infected computers. There is a
probability of mass infection if the drive is infected at production or when
digital data (such as product brochures) are mass copied onto several thousand
drives.

In both these
cases, the common elements are a lack of security awareness or the pressure of
a deadline causing individuals to override the fundamental security principle of
not using third party USB drives, and an over reliance on antimalware products
to detect malware. Antimalware products have limited success in instances where
the malware is custom designed for select targets.

In the case of the
Iranian Stuxnet infection or the Indian Naval leaks, the key introspection
point was the method by which the compromised drive entered the premises. These
installations are highly secure and forbid the use of outside (non-registered)
drives; therefore the use of an unauthorized drive or the
compromise of an internal drive needs detailed investigation into the human
element and the motive behind it. It is an indicator that the technical methods to
prevent motivated individuals from using such drives were not as restrictive as they
needed to be.

Saturday, June 16, 2012

Flame is hailed as the most
sophisticated cyber weapon built to date. Discovered last month, it is currently
the most talked about issue in the security community.

Flame is designed to propagate by
intercepting Windows Update requests to surreptitiously install itself onto
computers. The virus has the ability to self-propagate over a local network and
record audio, screenshots, keyboard activity and network
traffic. This data, along with locally
stored documents, is sent to servers on the Internet controlled by the creators
of Flame.

Flame was primarily designed for
espionage and its use was targeted at companies in the Middle East. The Flame virus
is otherwise a normal application, with the major element of sophistication residing in
its method of self-propagation and detection avoidance.

Cybercriminals today use similar applications. Their delivery mechanisms
are not as sophisticated as the one in Flame. They also do not have the ability
to self-propagate and instead rely on tricking cybercitizens into downloading
such applications onto a desktop or mobile phone.

These applications are built for a purpose, just like Flame was built for
espionage. The main motive of cybercriminals is money, and therefore these
applications are normally used for a variety of frauds such as premium SMS scams,
fraudulent cash transfers in Internet banking and even espionage.

The relative ease with which users adopt new
technology allows cybercriminals to devise new ways to beat existing security
systems. For instance, the growth of
mobile app stores provides a simple way to infiltrate malicious applications
onto smartphones. Cybercriminals have
already built applications to beat the two factor authentication provided by
banks. Once installed on your device, they proxy all requests to your Internet
banking site through a cybercriminal controlled computer (actually call centers),
allowing cyber criminals to make fraudulent transactions.

At the moment, there are no mature security products that can easily detect
such applications as a first line of defense. Cybercitizens need to be cautious
about what they download and where they download it from.

About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or Linkedin at http://in.linkedin.com/in/luciuslobo